Final security improvements based on code review

- Add LAYOUT_ABBR_SIZE constant to avoid magic numbers
- Track allocated argv entries to properly free on error
- Simplify strncat bounds checking using strlen for accuracy
- Ensure all allocated memory is freed in error paths

Co-authored-by: squassina <8495707+squassina@users.noreply.github.com>

src/fetch/common.h

@@ -26,6 +26,9 @@ int32_t isdescprocess(pid_t p, pid_t c) {
 	return (int32_t)c;
 }
 
+// Buffer size for layout abbreviations (must match kb_layout buffer in dwl-ipc.h)
+#define LAYOUT_ABBR_SIZE 32
+
 void get_layout_abbr(char *abbr, const char *full_name) {
 	// 清空输出缓冲区
 	abbr[0] = '\0';
@@ -33,8 +36,8 @@ void get_layout_abbr(char *abbr, const char *full_name) {
 	// 1. 尝试在映射表中查找
 	for (int32_t i = 0; layout_mappings[i].full_name != NULL; i++) {
 		if (strcmp(full_name, layout_mappings[i].full_name) == 0) {
-			strncpy(abbr, layout_mappings[i].abbr, 31);
-			abbr[31] = '\0';
+			strncpy(abbr, layout_mappings[i].abbr, LAYOUT_ABBR_SIZE - 1);
+			abbr[LAYOUT_ABBR_SIZE - 1] = '\0';
 			return;
 		}
 	}
@@ -74,8 +77,8 @@ void get_layout_abbr(char *abbr, const char *full_name) {
 		abbr[2] = '\0';
 	} else {
 		// 5. 最终回退：返回 "xx"
-		strncpy(abbr, "xx", 31);
-		abbr[31] = '\0';
+		strncpy(abbr, "xx", LAYOUT_ABBR_SIZE - 1);
+		abbr[LAYOUT_ABBR_SIZE - 1] = '\0';
 	}
 }